VYPR
Moderate severity · NVD Advisory · Published Aug 21, 2022 · Updated Aug 3, 2024

Cross-site Scripting (XSS) - Stored in yetiforcecompany/yetiforcecrm

CVE-2022-2885

Description

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
yetiforce/yetiforce-crm (Packagist) | < 6.4.0 | 6.4.0

Patches

a9ad9ee089b5

Improved input data cleanup

https://github.com/yetiforcecompany/yetiforcecrm · Mariusz Krzaczkowski · Aug 13, 2022 · via ghsa
2 files changed · +3 -3
  • config/version.php · +2 -2 · modified
    @@ -1,7 +1,7 @@
     <?php
     
     return [
    -	'appVersion' => '6.3.427',
    -	'patchVersion' => '2022.08.12',
    +	'appVersion' => '6.3.428',
    +	'patchVersion' => '2022.08.13',
     	'lib_roundcube' => '0.3.0',
     ];
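
Review bot: The bump of 'appVersion' to '6.3.428' is the only marker in this commit that separates builds with the Rss cleanup from builds without it, and the commit message "Improved input data cleanup" does not say the change is security relevant. Suggest naming the Rss link fix in the commit message or changelog so operators on a 6.3.x build can check 'appVersion' and 'patchVersion' to confirm they have it; the advisory itself only lists 6.4.0 as patched.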
    
  • modules/Rss/models/Record.php · +1 -1 · modified
    @@ -73,7 +73,7 @@ public function setRssObject($rss)
     	public function setRssValues($rss)
     	{
     		$this->set('rsstitle', \App\Purifier::purifyByType((string) $rss->title, 'Text'));
    -		$this->set('url', $rss->link);
    +		$this->set('url', \App\Purifier::purifyByType((string) $rss->link, 'Text'));
     	}
     
     	/**
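
Review bot: In setRssValues() the feed's link is now cleaned with the same 'Text' type as the title, but the value is stored as 'url' and is presumably used as a link target, so free-text cleanup may not be the right constraint for it. Suggest also checking that (string) $rss->link parses as an absolute http or https URL before calling $this->set('url', ...), and rejecting or blanking it otherwise, or using a URL-specific type if \App\Purifier offers one. Records saved before this change still hold the unpurified link, so the place where 'url' is rendered should escape it as well. A regression test that feeds a link containing markup through setRssValues() would keep this from slipping back.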
    
